General Questions
This change will impact you if you store card details for future payments. You can also refer to the Decision Tree that can be found at the location detailed in Q4.
You, or the third party you use, must:
• Obtain the cardholder’s consent for the initial storage of their credentials, and
• Use appropriate data values (Stored Credential Indicators) to identify the initial storage of the credential and the subsequent usage of that stored credential.
Details of the consent agreement requirements can be found in our Stored Credentials Guide. The data value information can be found in our Stored Credentials – Technical Implementation Guide. Both can be found at the location detailed in Q4.
Consent Agreements
Strong Customer Authentication
From 14th September 2019, a new regulatory requirement comes into effect that will impact the way payments take place. From this date, all payments will have to be validated using Strong Customer Authentication (SCA). SCA requires a cardholder to authenticate themselves for a transaction using at least two independent factors. These factors can be:
• Something the customer knows (for example a PIN number or password)
• Something the customer is (biometrics, such as a fingerprint or voice recognition)
• Something the customer is in possession of (for example a card or a mobile phone)
For ecommerce transactions, this can be achieved by using 3D Secure. For more details, please refer to the PSD2 and Strong Customer Authentication Technical Implementation Guide, which is on our website at www.globalpaymentsinc.co.uk. You’ll find it within our Customer Centre, under the Strong Customer Authentication tile.
An authentication request is how you verify the cardholder is the rightful owner of the card. It happens first, before the authorisation request. In a face to face environment this would be by chip and PIN. In ecommerce it's generally 3D Secure, and a PSP will make that request for you. After the customer has been authenticated, you can request authorisation for the payment to be made.
An authorisation message is how you request payment for the goods or services that you sell. This is the message that you send to Global Payments that we forward on to the issuer (via the card scheme) on your behalf. The issuer approves or declines the authorisation.
There are three scenarios when you’ll need to perform SCA with a Stored Credential Transaction:
• The first transaction, when you store a cardholder’s credentials for the first time, must be subject to SCA, either via 3D Secure for ecommerce or chip and PIN if it’s performed in a customer facing environment
• All Cardholder Initiated Transactions should be subject to SCA or explicitly exempted
• If you incorrectly flag a Merchant Initiated Transaction and the card issuer can’t be sure that it’s exempt from SCA, then they may respond to the authorisation request with a return code value of 65 requesting you perform SCA. Until you do so, the authorisation request will be declined.
Mail Order and Telephone Order (MOTO) transactions are out of scope for SCA. Provided that they’re correctly flagged as MOTO and Stored Credential Transactions, both the first transaction, and subsequent (Customer Initiated Transactions) can be made by mail order or telephone order.
Subsequent Stored Credential Transactions that are merchant initiated (when the first transaction was performed by MOTO) should be flagged correctly – as Stored Credential Transactions and with a Merchant Initiated Transaction SCA Exemption Flag.
In all scenarios, it’s important that the Scheme Reference Data from the initial MOTO transaction is stored and submitted with the subsequent transactions ensuring that the card issuer can trace the transactions back to the original one and know that it was an approved MOTO transaction.
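The rules above can be checked in code before an authorisation request is sent. This is an added example, not Global Payments code or message format: the class, field names and returned strings are hypothetical, the sample reference value is constructed, and requiring Scheme Reference Data on every subsequent transaction (not only chains that began with MOTO) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

SCA_REQUESTED = "65"  # issuer return code this page says requests SCA

@dataclass
class StoredCredentialTxn:   # hypothetical model, not the acquirer's message format
    channel: str             # "ecom", "face_to_face" or "moto"
    initiator: str           # "cardholder" or "merchant"
    first_storage: bool      # credential is being stored for the first time
    scheme_reference: Optional[str] = None  # Scheme Reference Data of the initial transaction

def plan(txn: StoredCredentialTxn) -> dict:
    """Work out the flags and authentication step before authorisation is requested."""
    p = {"stored_credential": True, "moto": txn.channel == "moto",
         "mit_sca_exemption": False, "authenticate_with": None}
    if not txn.first_storage:
        # Assumption: enforced for every subsequent transaction, not only MOTO chains.
        if not txn.scheme_reference:
            raise ValueError("initial Scheme Reference Data missing; issuer cannot trace the chain")
        p["scheme_reference"] = txn.scheme_reference
    if txn.initiator == "merchant" and not txn.first_storage:
        p["mit_sca_exemption"] = True   # flag the Merchant Initiated Transaction as SCA exempt
    elif txn.channel != "moto":         # MOTO is out of scope for SCA
        # Authentication comes before authorisation; other explicit exemptions are not modelled.
        p["authenticate_with"] = "3ds" if txn.channel == "ecom" else "chip_and_pin"
    return p

def after_authorisation(return_code: str) -> str:
    """Decide the next step from the issuer's return code."""
    if return_code == SCA_REQUESTED:
        # Issuer could not confirm the exemption: declined until SCA is performed.
        return "perform_sca_then_resubmit"
    return "issuer_decision_final"

if __name__ == "__main__":
    first = StoredCredentialTxn("ecom", "cardholder", first_storage=True)
    later = StoredCredentialTxn("ecom", "merchant", False, "SRD-CONSTRUCTED-001")
    print(plan(first))
    print(plan(later), after_authorisation("65"))
```

A subsequent transaction submitted without the stored reference fails in `plan` before it reaches the issuer, which is cheaper than discovering the problem as a decline.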
Technical Changes
Any transactions processed using a stored credential must contain the data values that are explained in the Stored Credentials – Technical Implementation Guide located on our website at www.globalpaymentsinc.co.uk. You’ll find it in the Customer Centre under the option for Stored Credential Transactions.
All Customer Initiated Transactions will be subject to SCA from 14th September 2019 and all Merchant Initiated Transactions will need to be flagged as SCA exempt to avoid card issuers challenging the transactions. The technical requirements for the changes needed are explained in PSD2 and Strong Customer Authentication Technical Implementation Guide, which is on our website at: www.globalpaymentsinc.co.uk. You’ll find it within our Customer Centre, under the Strong Customer Authentication tile.
Under the terms of your Card Processing Agreement with us, it is your responsibility to ensure that your card processing equipment meets industry standards. You can find further details on this in your Merchant Operating Instructions in the ‘Using Your Own Equipment’ section (on page 19). This states that “It is your responsibility to ensure that your card processing equipment meets industry security standards. You must carry out, and bear the cost of all upgrades to your equipment which we, or your terminal supplier, may reasonably request from time to time. This includes any developments required to meet changes to Card Scheme Rules. Failure to meet these changes will result in non-compliance with some of these regulations and may incur charges or penalties and increase your chargeback exposure.”
Also, in your Terms of Service under clause 12, we may vary your Card Processing Agreement to comply with Card Scheme changes to operating regulations, which you must adhere to. You can find a copy of the Terms of Service at: https://globalpaymentsinc.co.uk/CPSD. The Merchant Operating Instructions can be found on our website at www.globalpaymentsinc.co.uk. You’ll find this document in the Customer Centre under the option for Card Processing.